
Commit 9d9da68

fixup! Document web application vulnerability scanning procedure (#7021)
1 parent 47e56fa commit 9d9da68

File tree

1 file changed

+40
-22
lines changed


OPERATOR.rst

Lines changed: 40 additions & 22 deletions
@@ -668,8 +668,12 @@ the tarball from the most recent pipeline on that branch.
668668
Running a ZAP vulnerability scan
669669
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
670670

671-
ZAP Setup
672-
"""""""""
671+
Setting up ZAP
672+
""""""""""""""
673+
674+
Follow these steps to set up the ZAP application for scanning the HCA and
675+
AnVIL systems. This set up only needs to be completed once, and for future scans
676+
you can simply jump to `Launching ZAP`_.
673677

674678
- Download ZAP from https://www.zaproxy.org/
675679

@@ -698,14 +702,14 @@ ZAP Setup
698702
- You may now close the ZAP application. The next time you open the application,
699703
the settings you set above will be used.
700704

701-
Running an authenticated scan
702-
"""""""""""""""""""""""""""""
705+
Launching ZAP
706+
"""""""""""""
703707

704-
The scans you run need be run with authenticated requests. The process for
705-
running an authenticated scan is to first obtain an Azul authentication token,
706-
and then launch the ZAP application with the token set as an environment
707-
variable. The token will then automatically be added as a header to all requests
708-
made during the scan. See the `ZAP documentation`_ for more information.
708+
All scans need be run with authenticated requests. The process for running an
709+
authenticated scan is to first obtain an Azul authentication token, and then
710+
launch the ZAP application with the token set as an environment variable. The
711+
token will then automatically be added as a header to all requests made during
712+
the scan. See the `ZAP documentation`_ for more information.
709713

710714
.. _`ZAP documentation`: https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
711715

@@ -727,24 +731,34 @@ made during the scan. See the `ZAP documentation`_ for more information.
727731

728732
- ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh``
729733

730-
- After the ZAP application has opened, follow the steps below to create a new
731-
session and run a scan. After your scan has completed and you have generated
732-
a report, close the ZAP application, and repeat the steps above with a new
733-
authentication token for each additional scan you wish to run.
734+
- After the ZAP application has opened, follow the steps below to `create a new
735+
session`_ and run a scan. After your scan has completed and you have
736+
generated a report, close the ZAP application, and repeat the steps above with
737+
a new authentication token for each additional scan you wish to run.
738+
739+
.. _`create a new session`: #zap-sessions
734740

735741
ZAP Sessions
736742
""""""""""""
737743

738744
With the ZAP application open, you must start a new session prior to running a
739745
new scan. Failure to do so can pollute the scan results with the findings from
740-
the previous scan.
746+
the previous scan. A new session is created each time you launch ZAP, or
747+
alternatively, to manually open a new session, from the menu select *File* –
748+
*New Session*.
741749

742750
If you are prompted with options to persist the ZAP session, select the *No, I
743751
do not want to persis this session at this moment in time* option and click
744-
*Start*. You may now continue with the scan of your choice.
752+
*Start*.
753+
754+
You may now continue with either a `Data Portal / Browser scan`_ or `Azul
755+
Indexer / Service API scan`_.
745756

746-
Running a Portal / Browser scan
747-
"""""""""""""""""""""""""""""""
757+
.. _`Portal / Browser scan`: #running-a-portal-browser-scan
758+
.. _`Azul Indexer / Service API scan`: #running-an-azul-indexer-service-api-scan
759+
760+
Running a Data Portal / Browser scan
761+
""""""""""""""""""""""""""""""""""""
748762

749763
- From the *Quick Start* tab, click *Automated Scan*
750764

@@ -765,7 +779,9 @@ Running a Portal / Browser scan
765779
instead, take note of the *Current Status* values in the ZAP window footer.
766780
Proceed when all scan counts show ``0``.
767781

768-
- Generate a report (see section below)
782+
- Continue with the steps below to `generate a report`_.
783+
784+
.. _`generate a report`: #generating-a-zap-report
769785

770786
Running an Azul Indexer / Service API scan
771787
""""""""""""""""""""""""""""""""""""""""""
@@ -779,10 +795,12 @@ In order to run an API scan you must first import the OpenAPI definition.
779795

780796
- Click *Import*
781797

782-
After importing the OpenAPI definition, you may now follow the instructions
783-
above for running an ``Automated Scan``. When entering the URL to attack, use
784-
the base URL of the Azul indexer or service with no additional path components
785-
(e.g. https://service.explore.anvilproject.org/).
798+
After importing the OpenAPI definition, the process is then the same as running
799+
a `Data Portal / Browser scan`_. When entering the URL to attack, use the base
800+
URL of the Azul indexer or service with no additional path components (e.g.
801+
https://service.explore.anvilproject.org/).
802+
803+
.. _`Data Portal / Browser scan`: #running-a-data-portal-browser-scan
786804

787805
Generating a ZAP Report
788806
"""""""""""""""""""""""
